AMENDMENT TO THE CLAIMS 

Please cancel claim 36. 

Please amend claims 1, 3, 23, 30, and 32 to read as follows:
Please add new claims 44-49. 



LISTING OF THE CLAIMS 



1. (Currently Amended) A method for implementing an intrusion
detection system in a network, comprising: 

receiving a request from a central server at a software agent program 
installed on of a plurality of remote computers to initiate an intrusion detection

service wherein the

request is issued by the central server in response to a notification of a network 
intrusion



installing intrusion detection software on said remote computers via said 
software agent program, and

executing said intrusion detection software on said remote computers via 
said software agent program. 

2. (Previously Presented) The method of claim 1 further comprising: 
receiving from the central server a request to terminate intrusion detection 
services at said software agent program. 



3. (Currently Amended) The method of claim 2 further comprising: 
monitoring for fulfillment of a stop condition 


4. (Original) The method of claim 3 wherein said stop condition is
based on network traffic conditions. 

5. (Previously Presented) The method of claim 3 wherein said stop 
condition is an expiration time. 

6. (Canceled) 

7. (Previously Presented) The method of claim 1 further comprising 

the step of: 

selecting said remote computers from a plurality of eligible computers. 

8. (Original) The method of claim 7 wherein said selecting step is 
accomplished based on a network map. 

9. (Original) The method of claim 7 wherein said selecting step is 
accomplished based on a knowledge base. 

10. (Original) The method of claim 1 wherein said request is verified 
using a cryptographic authentication scheme. 

11. (Original) The method of claim 1 wherein said request includes a
stop condition indicating when to stop executing the intrusion detection software. 

12. (Previously Presented) The method of claim 11 wherein said stop
condition is an expiration time. 

13. (Original) The method of claim 11 wherein said stop condition is
based on network traffic conditions. 






14. (Original) The method of claim 7 wherein said request is verified 
using a cryptographic authentication scheme. 



15-22 (Canceled) 

23. (Currently Amended) A system for detecting intrusions in a 
computer network comprising: 

a plurality of computers executing software agents; 



a database configured to store at least one rule defining at least one 
response to a network intrusion

wherein said an intrusion detection server is configured to send a request
to install and execute intrusion detection software to software agents at the plurality of 
the computers when intrusion detection services are needed based on the at least one 
rule stored in said database



24. (Original) The system of claim 23 wherein said intrusion detection 
server increases the number of said plurality of computers executing intrusion detection 
software when a network intrusion is detected. 

25. (Original) The system of claim 23 wherein said intrusion detection 
server changes the number of said plurality of computers executing intrusion detection 
software when the level of network traffic changes. 

26. (Original) The system of claim 23 wherein said intrusion detection 
server changes the number of said plurality of computers executing intrusion detection 
software depending on the time of day. 

27. (Original) The system of claim 23 wherein said database contains
information about the plurality of computers. 



28. (Original) The system of claim 27 wherein said information 
includes a map of said computer network. 

29. (Original) The system of claim 23 wherein said database contains 
a knowledge base. 

30. (Currently Amended) An article of manufacture comprising a 
computer-readable medium having stored thereon instructions adapted to be executed 
by a processor, the instructions which, when executed, define a series of steps to be 
used to perform network intrusion detection, said steps comprising: 

receiving notification of a network intrusion at a central server; 
transmitting an intrusion detection software installation request from the 
central server to a plurality of remote computers in response to the notification and

installing intrusion detection software on the plurality of remote computers 
via a software agent program in response to the request. 

31. (Canceled) 

32. (Currently Amended) The article of manufacture of claim 30, 
further comprising the step of selecting said remote computers from a plurality of eligible 
computers

33. (Original) The article of manufacture of claim 32 wherein said
selecting step is accomplished based on a network map. 



34. (Original) The article of manufacture of claim 32 wherein said 
selecting step is accomplished based on a knowledge base. 

35. (Original) The article of manufacture of claim 30 wherein said 
request is verified using a cryptographic authentication scheme. 

37. (Original) The article of manufacture of claim 36 wherein said stop 
condition is an expiration time. 

38. (Original) The article of manufacture of claim 36 wherein said stop 
condition is based on network traffic conditions. 

39. (Previously Presented) The method of claim 1, wherein intrusion
detection services are initiated at a plurality of remote computers selected based on a 
number of intrusion detection platforms that are currently active. 

40. (Previously Presented) The method of claim 1, wherein intrusion
detection services are initiated at a plurality of remote computers selected based on 
predetermined numbers of maximum and minimum limits on a number of intrusion 
detection platforms. 

41. (Previously Presented) The method of claim 11, wherein the stop
condition applies to all eligible computers. 






42. (Previously Presented) The method of claim 2, further comprising 
monitoring for fulfillment of a stop condition at each of the plurality of remote computers 
executing intrusion detection software. 

43. (Previously Presented) The method of claim 42, wherein the stop 
condition for each of the plurality of computers is based on a time during which each of 
the plurality of computers has been executing instruction detection software. 

44. (New) A method for intrusion detection in a network comprising: 
receiving indication of a possible network intrusion; 

selecting one of a plurality of computers in the network to become an 
intrusion detection platform, wherein selecting one of the plurality of the computers is
based on the indication of a possible network intrusion; 

sending a request to the selected computer to install and execute intrusion 
detection software, wherein the request is sent in response to the received indication of 
the possible network intrusion; and 

sending a message to the selected computer to cease execution of the 
intrusion detection software when a stop condition is detected, wherein the stop 
condition includes a condition that no intrusion has been detected for a period of time. 

45. (New) The method of claim 44 wherein receiving the indication of a 
possible network intrusion comprises receiving an indication of a part of the network that 
is a target of the possible network intrusion; and 

wherein selecting one of the plurality of computers is based on the 
indication of the target of the possible network intrusion. 

46. (New) The method of claim 45 wherein selecting one of the 
plurality of computers is based on the indication of the target of the possible network 
intrusion comprises selecting a computer at or near the target of the possible network
intrusion. 

47. (New) The method of claim 44 wherein selecting one of the 
plurality of computers is based on the indication of a possible network intrusion includes 
selecting of the computer based on an unusual pattern of network traffic. 

48. (New) The method of claim 44 wherein selecting one of the 
plurality of computers is based on the indication of a possible network intrusion
includes selecting one of the plurality of computers based on an unusual number of 
incoming network packets directed at a network segment. 